Environment
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 2
Situation
Since consuming the latest SLES patches from the SUSE update repositories, it was observed that starting iManager and navigating to the storage task resulted in:
"File Protocol error occurred: cannot open the NSS version file on the selected server. The NSS software may not currently be running on this server."
The effect of this error is that any iManager storage plugin related work, such as managing NSS Pools, Volumes and Quotas, cannot be performed using iManager.
Resolution
The resolution is twofold.
- Solution 1: Certificates in the /etc/sfcb/ folder
When everything is set up and working properly, this folder should contain three certificate files as symbolic links.
To fix this problem manually, open a terminal window as the 'root' user and navigate to the '/etc/sfcb/' folder. When the certificates (*.pem files) exist as softlinks, nothing else is required. When the certificates exist as actual files, delete them (be careful not to delete the sfcb.cfg file) and recreate them as symbolic links by typing:
ln -s /etc/ssl/servercerts/servercert.pem client.pem
ln -s /etc/ssl/servercerts/serverkey.pem file.pem
ln -s /etc/ssl/servercerts/servercert.pem server.pem
- Solution 2: wbem.jar
The wbem.jar file (from the novell-wbemservices rpm), located in /var/opt/novell/iManager/nps/packages/, was modified to use TLS. In addition, some Java enumeration changes were made for Java 1.5 and above.
Note: the wbem.jar is available on request via Novell Technical Support, and is scheduled to be released in an upcoming OES iManager hot patch.
Steps to apply:
- Copy the new wbem.jar file over the top of the existing wbem.jar file in the /var/opt/novell/iManager/nps/packages/ directory and make sure the permissions and owners are the same: "chmod 644 wbem.jar" and "chown wwwrun:www wbem.jar"
- Restart the novell-tomcat6 service: "rcnovell-tomcat6 restart"
Cause
A few scenarios were observed:
- Certificates in the /etc/sfcb/ folder
When everything is set up and working properly, this folder should contain three certificate files as symbolic links, to be specific:
client.pem -> /etc/ssl/servercerts/servercert.pem
file.pem -> /etc/ssl/servercerts/serverkey.pem
server.pem -> /etc/ssl/servercerts/servercert.pem
When the specific 'File Protocol Error' problem was observed while performing any storage management, the three certificates were either entirely missing as softlinks, or existed as the actual certificates:
client.pem
file.pem
server.pem
- iManager wbem.jar.
The wbem.jar file located here /var/opt/novell/iManager/nps/packages/ is still using SSLv3.
Additional Information
To determine whether this iManager problem is related to the certificate issue described in this TID, the following troubleshooting was used:
In a terminal window, as 'root' user:
- kill sfcbd (using 'killall sfcbd')
- start sfcb again (as 'sfcbd -t 12288 >> /tmp/sfcbd_debug.txt')
In iManager, perform storage management and, in the terminal window running sfcb in debug mode above, observe the following error:
*** httpAdapter.c:1165 Error accepting SSL connection -- exiting
6575:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1098:SSL alert number 46
*** httpAdapter.c:1165 Error accepting SSL connection -- exiting
6576:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1098:SSL alert number 46
After recreating the certificates as softlinks described in the solution section above, the above error was no longer observed.
Additional note:
We are also actively investigating why there are actual certificates located in /etc/sfcb/, where we would expect to see them as symbolic links only.
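The following read-only check is an added example, not part of the original TID or of any Novell tooling. It compares the three *.pem entries against the link layout listed in the Cause section; the function name, the status words, the optional directory arguments, and the extra WRONG_TARGET and DANGLING checks are assumptions of this example.

```shell
#!/bin/sh
# Added example: read-only check of the sfcb certificate links from this TID.
# Expected layout, as "link name:target file name" (target dir added below).
EXPECTED='client.pem:servercert.pem
file.pem:serverkey.pem
server.pem:servercert.pem'

# check_sfcb_links [SFCB_DIR] [CERT_DIR]
# Prints one status line per expected link and returns 0 only when all three
# are symbolic links to the expected, existing targets.
# Defaults are the paths named in this TID; the arguments exist for testing.
check_sfcb_links() {
    dir=${1:-/etc/sfcb}
    certdir=${2:-/etc/ssl/servercerts}
    bad=0
    for entry in $EXPECTED; do
        name=${entry%%:*}
        want=$certdir/${entry#*:}
        path=$dir/$name
        if [ -L "$path" ]; then
            have=$(readlink "$path")
            if [ "$have" != "$want" ]; then
                echo "WRONG_TARGET $name -> $have (expected $want)"; bad=1
            elif [ ! -e "$path" ]; then
                # Link text is right but the target file does not exist.
                echo "DANGLING $name -> $have"; bad=1
            else
                echo "OK $name -> $have"
            fi
        elif [ -e "$path" ]; then
            # State reported in this TID: a real file instead of a link.
            echo "REGULAR_FILE $name"; bad=1
        else
            # State reported in this TID: the link is missing entirely.
            echo "MISSING $name"; bad=1
        fi
    done
    return $bad
}
```

Called with no arguments, the function inspects /etc/sfcb against /etc/ssl/servercerts and changes nothing on disk.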